Add more rules

CHANGELOG.md

@@ -12,9 +12,11 @@ Note that the use of semantic versioning applies to the command-line interface a
 ### Additions
 - New rules:
 
+    - `Anthropic API Key` ([#247](https://github.com/praetorian-inc/noseyparker/pull/247))
     - `Firecrawl API Key` ([#244](https://github.com/praetorian-inc/noseyparker/pull/244))
     - `Generic Secret` x2 ([#244](https://github.com/praetorian-inc/noseyparker/pull/244))
     - `Generic Username and Password` x2 ([#244](https://github.com/praetorian-inc/noseyparker/pull/244))
+    - `Gitalk OAuth Credentials` ([#247](https://github.com/praetorian-inc/noseyparker/pull/247))
     - `Groq API Key` ([#244](https://github.com/praetorian-inc/noseyparker/pull/244))
 
 ### Fixes

README.md

@@ -10,7 +10,7 @@ It has found secrets in hundreds of offensive security engagements at [Praetoria
 
 **Key features:**
 - **Flexiblity:** It natively scans files, directories, GitHub, and Git history, and has an extensible input enumeration mechanism
-- **Field-tested rules:** It uses regular expressions with [168 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high precision based on feedback from security engineers
+- **Field-tested rules:** It uses regular expressions with [169 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high precision based on feedback from security engineers
 - **Signal-to-noise:** It deduplicates matches that share the same secret, reducing review burden by 10-1000x or more
 - **Speed & scalability:** it can scan at GB/s on a multicore system, and has scanned inputs as large as 20TB during security engagements
 

crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap

@@ -2,4 +2,4 @@
 source: crates/noseyparker-cli/tests/rules/mod.rs
 expression: stdout
 ---
-168 rules and 3 rulesets: no issues detected
+170 rules and 3 rulesets: no issues detected

crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap

@@ -99,6 +99,30 @@ expression: stdout
         ]
       }
     },
+    {
+      "id": "np.anthropic.1",
+      "structural_id": "af4099fe0621255b2eef7a5189583ad08e1411e1",
+      "name": "Anthropic API Key",
+      "syntax": {
+        "name": "Anthropic API Key",
+        "id": "np.anthropic.1",
+        "pattern": "(?x)\n\\b\n(sk-ant-api[0-9]{2}-[a-zA-Z0-9_-]{95})\n(?: [^a-zA-Z0-9_-] | $ )\n",
+        "description": "An Anthropic API key was found. Anthropic is an AI company. An attacker could use this API key to consume limited resources, cause denial-of-service, or access internal fine-tuned models.\n",
+        "examples": [
+          "sk-ant-api03-jSq6OMjv1syXaEUE0bvOckLe_GtCKy8lvZdko3eOJgV8TH-f2iyzRekyZNSby5d9ScikGYuqQhsrxML3X3N3rQ-XwQaQAAA",
+          "sk-ant-api03-f-SD8UXTHZuL3dhlRLMzMh7sxOopjFG510MC0B6g5Whzu2gM6gYJrQUduYWWQkG8XvkjeVj-MfYvtzMBF7NXSg-W34tmAAA"
+        ],
+        "negative_examples": [],
+        "references": [
+          "https://docs.anthropic.com/en/api/getting-started",
+          "https://support.anthropic.com/en/articles/9767949-api-key-best-practices-keeping-your-keys-safe-and-secure"
+        ],
+        "categories": [
+          "api",
+          "secret"
+        ]
+      }
+    },
     {
       "id": "np.appsync.1",
       "structural_id": "1a653a8d9b81fd1ef03814630e219dfcd01d847b",
@@ -1490,6 +1514,33 @@ expression: stdout
         ]
       }
     },
+    {
+      "id": "np.gitalk.1",
+      "structural_id": "f0cc3189bc13e0013683fce0161c8a211464f52d",
+      "name": "Gitalk OAuth Credentials",
+      "syntax": {
+        "name": "Gitalk OAuth Credentials",
+        "id": "np.gitalk.1",
+        "pattern": "(?x)\n\\b\nnew \\s+ Gitalk \\s* \\( \\s* \\{ \\s*\n  clientID: \\s* '([a-f0-9]{20})', \\s*\n  clientSecret: \\s* '([a-f0-9]{40})',\n",
+        "description": "Gitalk OAuth credentials were found. Gitalk is a GitHub-based commenting system. An attacker may be able to use these credentials to impersonate the Gitalk app and control its data.\n",
+        "examples": [
+          "new Gitalk({\n  clientID: 'd17d49be2e680b78a83d',\n  clientSecret:'9363cb456dda6402cb71d65092490e75c9f11873',\n"
+        ],
+        "negative_examples": [
+          "'\\\\n    <script type=\"text/javascript\">'+\n'\\\\n        const gitalk = new Gitalk({'+\n'\\\\n        clientID: \\\\'2e62dee7b9895e3eede6\\\\','+\n'\\\\n        clientSecret: \\\\'ca6819a54657af0d87960af15315319f8a628a53\\\\','+\n'\\\\n        repo: \\\\'AiLearning\\\\','+\n",
+          "var gitalk = new Gitalk({\n    \"clientID\": \"7bf1e92eaff34fd005dc\",\n    \"clientSecret\": \"d151c7bc86d545dafe2c1de75e3a174623230a2a\",\n    \"repo\": \"wibble.github.io\",\n"
+        ],
+        "references": [
+          "https://gitalk.github.io",
+          "https://github.com/gitalk/gitalk"
+        ],
+        "categories": [
+          "api",
+          "secret",
+          "fuzzy"
+        ]
+      }
+    },
     {
       "id": "np.github.1",
       "structural_id": "f6c4fca24a1c7f275d51d2718a1585ca6e4ae664",
@@ -4215,7 +4266,7 @@ expression: stdout
     {
       "id": "default",
       "name": "Nosey Parker default rules",
-      "num_rules": 147
+      "num_rules": 149
     },
     {
       "id": "np.assets",

crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap

@@ -8,6 +8,7 @@ expression: stdout
  np.adobe.1           Adobe OAuth Client Secret                                     api, secret 
  np.age.1             Age Recipient (X25519 public key)                             identifier 
  np.age.2             Age Identity (X22519 secret key)                              secret 
+ np.anthropic.1       Anthropic API Key                                             api, secret 
  np.appsync.1         AWS AppSync API Key                                           api, secret 
  np.arn.1             Amazon Resource Name                                          api, identifier 
  np.artifactory.1     Artifactory API Key                                           api, fuzzy, secret 
@@ -63,6 +64,7 @@ expression: stdout
  np.generic.7         Credentials in .NET System.Net.NetworkCredential              fuzzy, generic, secret 
  np.generic.8         Credentials in .NET System.DirectoryServices.DirectoryEntry   fuzzy, generic, secret 
  np.generic.9         Sensitive Value in .NET Configuration                         fuzzy, generic, secret 
+ np.gitalk.1          Gitalk OAuth Credentials                                      api, fuzzy, secret 
  np.github.1          GitHub Personal Access Token                                  api, secret 
  np.github.2          GitHub OAuth Access Token                                     api, secret 
  np.github.3          GitHub App Token                                              api, secret 
@@ -175,6 +177,6 @@ expression: stdout
 
  Ruleset ID   Ruleset Name                         Rules 
 ─────────────────────────────────────────────────────────
- default      Nosey Parker default rules             147 
+ default      Nosey Parker default rules             149 
  np.assets    Nosey Parker asset detection rules      15 
  np.hashes    Nosey Parker password hash rules         6

crates/noseyparker/data/default/builtin/rules/anthropic.yml

@@ -0,0 +1,26 @@
+rules:
+
+- name: Anthropic API Key
+  id: np.anthropic.1
+
+  pattern: |
+    (?x)
+    \b
+    (sk-ant-api[0-9]{2}-[a-zA-Z0-9_-]{95})
+    (?: [^a-zA-Z0-9_-] | $ )
+
+  categories: [api, secret]
+
+  description: >
+    An Anthropic API key was found.
+    Anthropic is an AI company.
+    An attacker could use this API key to consume limited resources, cause
+    denial-of-service, or access internal fine-tuned models.
+
+  examples:
+  - 'sk-ant-api03-jSq6OMjv1syXaEUE0bvOckLe_GtCKy8lvZdko3eOJgV8TH-f2iyzRekyZNSby5d9ScikGYuqQhsrxML3X3N3rQ-XwQaQAAA'
+  - 'sk-ant-api03-f-SD8UXTHZuL3dhlRLMzMh7sxOopjFG510MC0B6g5Whzu2gM6gYJrQUduYWWQkG8XvkjeVj-MfYvtzMBF7NXSg-W34tmAAA'
+
+  references:
+  - https://docs.anthropic.com/en/api/getting-started
+  - https://support.anthropic.com/en/articles/9767949-api-key-best-practices-keeping-your-keys-safe-and-secure

crates/noseyparker/data/default/builtin/rules/gitalk.yml

@@ -0,0 +1,43 @@
+rules:
+
+- name: Gitalk OAuth Credentials
+  id: np.gitalk.1
+
+  pattern: |
+    (?x)
+    \b
+    new \s+ Gitalk \s* \( \s* \{ \s*
+      clientID: \s* '([a-f0-9]{20})', \s*
+      clientSecret: \s* '([a-f0-9]{40})',
+
+  categories: [api, secret, fuzzy]
+
+  description: >
+    Gitalk OAuth credentials were found.
+    Gitalk is a GitHub-based commenting system.
+    An attacker may be able to use these credentials to impersonate the Gitalk
+    app and control its data.
+
+  references:
+  - https://gitalk.github.io
+  - https://github.com/gitalk/gitalk
+
+  examples:
+  - |
+      new Gitalk({
+        clientID: 'd17d49be2e680b78a83d',
+        clientSecret:'9363cb456dda6402cb71d65092490e75c9f11873',
+
+  negative_examples:
+  - |
+      '\\n    <script type="text/javascript">'+
+      '\\n        const gitalk = new Gitalk({'+
+      '\\n        clientID: \\'2e62dee7b9895e3eede6\\','+
+      '\\n        clientSecret: \\'ca6819a54657af0d87960af15315319f8a628a53\\','+
+      '\\n        repo: \\'AiLearning\\','+
+
+  - |
+      var gitalk = new Gitalk({
+          "clientID": "7bf1e92eaff34fd005dc",
+          "clientSecret": "d151c7bc86d545dafe2c1de75e3a174623230a2a",
+          "repo": "wibble.github.io",

crates/noseyparker/data/default/builtin/rulesets/default.yml

@@ -15,6 +15,7 @@ rulesets:
   - np.adafruit.1     # Adafruit IO Key
   - np.adobe.1        # Adobe OAuth Client Secret
   - np.age.2          # Age Identity (X22519 secret key)
+  - np.anthropic.1    # Anthropic API Key
   - np.artifactory.1  # Artifactory API Key
   - np.appsync.1      # AWS AppSync API Key
   - np.aws.2          # AWS Secret Access Key
@@ -65,6 +66,7 @@ rulesets:
   - np.generic.12     # Generic Password
   - np.generic.13     # Generic Credentials
   - np.generic.14     # Generic Credentials
+  - np.gitalk.1       # Gitalk OAuth Credentials
   - np.github.1       # GitHub Personal Access Token
   - np.github.2       # GitHub OAuth Access Token
   - np.github.3       # GitHub App Token